Iran attacked by prank 'AC/DC' malware, expert reports

Iran's nuclear programme might recently have been attacked by unidentified malware that played Thunderstruck by Anglo-Australian heavy metal band AC/DC as part of its programmed behaviour, a security expert has reported.

Iran's nuclear programme might recently have been attacked by unidentified malware that played Thunderstruck by Anglo-Australian heavy metal band AC/DC as part of its programmed behaviour, a security expert has reported.

News of the unlikely-sounding 'worm' was sent in an email to well-known F-Secure chief research officer, Mikko Hypponen from an unamed source claiming to be an Iranian nuclear scientist.

“I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom,” said the mysterious source.

“According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am scientist not a computer expert,” the message continued.

The Thunderstruck track played randomly on several workstations at maximum volume in the middle of the night, the source added.

Hypponen expressed scepticism about the claim although the email had come from a verified address within the Atomic Energy Organisation of Iran (AEOI), he confirmed.

An elaborate hoax or a sign that Iran's enemies have a sense of humour and a taste for heavy metal? “I'm not sure what to think about this,” said Hypponen in fence-sitting mode.

On the face of it, a Trojan good enough to penetrate the systems of Iran's nuclear programme would be unlikely to advertise its presence by playing loud music.

Could it be a third-party malware programme that somehow sneaked on to the systems by accident? Again unlikely; criminal malware never advertises its presence and such malware behaviour would have been reported in other countries.

One possibility is that it was written by someone closer to the programme as an act of prankish subversion – or it doesn't exist and the whole email was concocted as a joke.

Iran has, as everyone now knows, been struck in recent times by several pieces of sophisticated malware, including Stuxnet in the years to 2010, Duqu in 2011 and Flame until 2012.

Can the world add the 'Thunderstruck attack' to that list? We will probably never know but it might serve as some advertising for the band's next scheduled tour. As for Hypponen, he is probably regretting ever mentioning it.